The invention relates in general to network security. In particular the invention relates to managing a network security application, such as a firewall, security gateway, Intrusion Detection System (IDS) or Virtual Private Network (VPN) gateway.
Public networks are presently being used more and more for sensitive and mission-critical communications, and the internal networks of various organisations and enterprises are nowadays connected to public networks, the Internet being one of them. Since the basic mechanisms of the public networks were originally not designed with secrecy and confidentiality in mind, public networks are untrusted networks. To protect an internal network, a special network application or device is usually used to connect the internal network to a public network. This special network application is often called a security gateway or a firewall, and the purpose of such a network application is to prevent unauthorised access to the internal network. Typically there is a need to restrict access to an internal network from a public network and/or to restrict access from the internal network to the public network or to further networks connected to the public network.
In addition to security gateways and firewalls there is a plurality of other network security applications. For example, in intrusion detection systems (IDS) the traffic (data packets) flowing in a network is monitored and analysed in order to detect malicious or unauthorised actions in the network. Virtual private network (VPN) applications are used for connecting trusted parties to each other over an untrusted public network through a secure tunnel. All traffic from a first party to a second party is encrypted by a VPN application of the first party and sent in encrypted form over the public network to the second party, where a VPN application decrypts the transmitted data and forwards the decrypted data to the recipient. The VPN is typically transparent to the processes that are communicating with each other, and the encryption and decryption depend on the configuration of the VPN applications.
However, the above described network security applications cannot maintain effective security by themselves. The network security applications need to be carefully installed and configured, and the security policy needs to be evaluated and updated regularly, if the security application includes such a security policy (e.g. VPN applications may not include a security policy). The contemporary development towards very complicated networks that need multiple interfaces with the Internet for VPN (Virtual Private Network), remote access, e-business, cache servers, etc. has increased the demands for administrative skills. Moreover, the surrounding network environment is fast changing and updates need to be done in real time; detected flaws in the configuration and failures in the operation of a network security application need to be fixed as soon as possible in order to maintain the required security level, connectivity and service availability. Also, the needs of the users may change over time, and user information may need to be added, removed or modified.
Because the human factor plays a key role in failures of network security applications and security policies, it is important for a network security application, and for a system of network security applications, to be easily administrable. Network security applications are often managed by a remote (fixed network) management system using a network connection and secured (encrypted) communication. The network security applications communicate with the management system, sending performance statistics, status information, alarms and log data, while receiving policy updates and configuration changes. The management system may be part of the network security application or it may be a separate process, and a plurality of network security applications may be managed using one management system. Typically, there is a management user interface via which the applications are managed. The management user interface may be remotely connected to the management system and/or the network security application.
The term network security application is used in this description for referring to any network security application or to a cluster of any network security applications, which are managed via a management user interface. The management user interface may be separate from the application itself or part of the application. A network security application may be, for example, a firewall node, a firewall node provided with Virtual Private Network (VPN) functionality, a network monitoring node, a virus scanning application or an IDS node.
FIG. 1 illustrates an example network topology with a first internal network 102, a second internal network 104 and the Internet 100. The internal networks 102, 104 are connected to the Internet 100 via firewalls 106 and 108, respectively. Additionally, there is an IDS device 110 connected to the internal network 104.
The IDS device 110 monitors the data packets entering and exiting the internal network 104. Any of the network devices 106, 108, 110 may be implemented as one network node or as a cluster of network nodes. There is also a management user interface in computer 112 connected to the internal network 104. If internal networks 104 and 102 belong to the same organisation, all network devices 106, 108, 110 may be managed and configured using this management user interface 112; typically, however, there would be separate management user interfaces for the IDS device and for the firewalls. The actual management system may reside in the computer 112 and act as a central management system for the two firewalls, for example. Alternatively, the management system may be an integral part of the firewalls.
Typically the management user interface and a central management system are in a fixed computer or workstation connected to an internal network (or in a plurality of such computers or workstations), and the connection between the management user interface and the network security applications is a fixed connection. The reasons for this are security (the management system is accessed only from a physically secure location) and the fact that the management application is a complex application, so running it over, for example, a conventional modem connection might be very slow. On the other hand, this means that this fixed computer or workstation needs to be physically accessed in order to manage the managed applications. Thus, in order to react to information provided by the network security applications, the management user interface needs to be monitored. The management system is commonly arranged to generate an alarm message, for example on the computer screen of a management user interface, in response to predetermined (suspicious/malicious) actions or failures, and therefore the output of the network security applications does not need to be analysed constantly. However, finding and fixing the conditions that caused the alarm requires human intervention, and therefore the alarms generated by the network security applications need to be monitored by system administrators.
The network security applications are commonly arranged to send alarms, for example, to a predetermined pager device or as an SMS (Short Message Service) message to a predetermined mobile phone. Such a pager device or mobile phone is typically carried by an administrator of the network security applications in order to receive the alarms instantly, without somebody having to sit by the management user interface at all times. However, the alarm is only a short message indicating that something is wrong, and the administrator receiving the alarm may not even be close to the management system or user interface; therefore processing the alarm still requires the administrator to get to the management user interface in order to find out the reason for the alarm and to fix the situation.
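The two preceding paragraphs describe a management system that raises an alarm on a predetermined condition and forwards it as a short pager or SMS text. The following Python is an added example, not code from the original description or from any product it refers to: it runs a simple threshold rule (repeated denied connections from one source within a time window) over constructed firewall log lines and renders the resulting alarm as a message bounded by the SMS length. The log format, node name, addresses, threshold and window are all assumptions made for the illustration. The point the example makes concrete is the one the description raises: the text that reaches the administrator carries the fact of the alarm but none of the log, policy or node state needed to act on it.

```python
"""Added example (not from the original description): a minimal alarm
generator of the kind a firewall management system runs over its log
stream. It raises an alarm when one source address reaches a threshold of
denied connections inside a sliding window, and renders the alarm as the
short pager/SMS text the description mentions. Log lines, addresses,
node name, threshold and window below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; the field layout is assumed).
SAMPLE_LOG = """\
2003-04-01T10:00:01 fw1 DENY 203.0.113.5:51212 -> 192.0.2.10:22 tcp
2003-04-01T10:00:02 fw1 ALLOW 198.51.100.7:40000 -> 192.0.2.20:80 tcp
2003-04-01T10:00:03 fw1 DENY 203.0.113.5:51213 -> 192.0.2.10:23 tcp
2003-04-01T10:00:04 fw1 DENY 203.0.113.5:51214 -> 192.0.2.10:25 tcp
2003-04-01T10:00:05 fw1 DENY 203.0.113.5:51215 -> 192.0.2.10:110 tcp
2003-04-01T10:00:06 fw1 DENY 203.0.113.5:51216 -> 192.0.2.10:143 tcp
2003-04-01T10:02:00 fw1 DENY 198.51.100.9:4444 -> 192.0.2.10:22 tcp
"""

SMS_MAX = 160  # single-segment SMS limit; the alarm text must fit in it


def parse_line(line):
    """Parse one constructed log line into (timestamp, node, action, src_ip, dst)."""
    ts, node, action, src, _arrow, dst, _proto = line.split()
    src_ip = src.rsplit(":", 1)[0]
    return datetime.fromisoformat(ts), node, action, src_ip, dst


def detect_alarms(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alarm dict per source that reaches `threshold` DENY
    events within `window`. Each source raises at most one alarm, so a
    continuing scan does not flood the administrator's pager."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent denies
    alarmed = set()
    alarms = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, node, action, src_ip, dst = parse_line(line)
        if action != "DENY":
            continue
        q = recent[src_ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop denies older than the window
            q.popleft()
        if len(q) >= threshold and src_ip not in alarmed:
            alarmed.add(src_ip)
            alarms.append({"time": ts, "node": node, "src": src_ip,
                           "count": len(q), "last_dst": dst})
    return alarms


def format_sms(alarm):
    """Render the alarm as a short text message, truncated to SMS length.
    The log lines, the matching policy rule and the node state are not in
    the message: the administrator still has to reach the management user
    interface to obtain them."""
    text = (f"{alarm['node']} ALARM {alarm['time']:%H:%M:%S}: "
            f"{alarm['count']} denies from {alarm['src']} "
            f"(last {alarm['last_dst']})")
    return text[:SMS_MAX]


if __name__ == "__main__":
    for a in detect_alarms(SAMPLE_LOG):
        print(format_sms(a))
```

Run stand-alone, the script prints one alarm for the source that reaches five denied connections within the window; the second source, with a single deny, stays below the threshold. Lowering `threshold` to 1 alarms on every source that is denied at all.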
It would be beneficial for the administrator to be able to fix the problem right away when receiving the alarm and therefore to be able to manage the network security applications in a more flexible manner and to respond to failures more rapidly.